OP5 Monitor - How to monitor a specific Microsoft windows eventid

You can use a function builtin to NSClient. The function is called check_eventlog. Download the latest version of NSClient++ from this page:

When you have installed the NSClient agent on the Windows host. create a new check command on the OP5 server with the following definition:

$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_eventlog -a "filter=id=$ARG1$"

Create a service that uses the check command above and set the following parameter:

check_command_args: 903

Newer versions of NSClient and OP5 Monitor also have an out of the box check called check_nrpe_win_eventlog that is defined as:

$USER1$/check_nrpe -s -H $HOSTADDRESS$ -c CheckEventLog -a "$ARG1$"

In this case, the service's parameter will be:

check_command_args: filter=id=903

This service will now check for event-id 903 in the and warn you if it finds any events with that id during the latest 24 hours.

The complete documentation for check_eventlog can be found here:

https://docs.nsclient.org/reference/windows/CheckEventLog/